(Feat): Initial Commit

backend-deno/middleware/auth.ts

@@ -0,0 +1,102 @@
+import { Context, Next } from "@oak/oak";
+import { verify, create, getNumericDate } from "djwt";
+import { config } from "../config/env.ts";
+import type { JWTPayload, UserRole } from "../types/index.ts";
+
+// Create crypto key from secret
+const encoder = new TextEncoder();
+const keyData = encoder.encode(config.JWT_SECRET);
+
+const cryptoKey = await crypto.subtle.importKey(
+  "raw",
+  keyData,
+  { name: "HMAC", hash: "SHA-256" },
+  false,
+  ["sign", "verify"]
+);
+
+// Generate JWT token
+export async function generateToken(payload: Omit<JWTPayload, "exp" | "iat">): Promise<string> {
+  const expiresIn = config.JWT_EXPIRES_IN;
+  let expSeconds = 7 * 24 * 60 * 60; // Default 7 days
+  
+  if (expiresIn.endsWith("d")) {
+    expSeconds = parseInt(expiresIn) * 24 * 60 * 60;
+  } else if (expiresIn.endsWith("h")) {
+    expSeconds = parseInt(expiresIn) * 60 * 60;
+  } else if (expiresIn.endsWith("m")) {
+    expSeconds = parseInt(expiresIn) * 60;
+  }
+  
+  const token = await create(
+    { alg: "HS256", typ: "JWT" },
+    {
+      ...payload,
+      exp: getNumericDate(expSeconds),
+      iat: getNumericDate(0),
+    },
+    cryptoKey
+  );
+  
+  return token;
+}
+
+// Verify JWT token
+export async function verifyToken(token: string): Promise<JWTPayload | null> {
+  try {
+    const payload = await verify(token, cryptoKey);
+    return payload as unknown as JWTPayload;
+  } catch {
+    return null;
+  }
+}
+
+// Authentication middleware
+export async function authenticateToken(ctx: Context, next: Next): Promise<void> {
+  const authHeader = ctx.request.headers.get("Authorization");
+  const token = authHeader?.startsWith("Bearer ") ? authHeader.slice(7) : null;
+  
+  if (!token) {
+    ctx.response.status = 401;
+    ctx.response.body = { error: "Access token required" };
+    return;
+  }
+  
+  const payload = await verifyToken(token);
+  
+  if (!payload) {
+    ctx.response.status = 403;
+    ctx.response.body = { error: "Invalid or expired token" };
+    return;
+  }
+  
+  // Attach user to context state
+  ctx.state.user = payload;
+  await next();
+}
+
+// Authorization middleware factory
+export function authorize(...roles: UserRole[]) {
+  return async (ctx: Context, next: Next): Promise<void> => {
+    const user = ctx.state.user as JWTPayload | undefined;
+    
+    if (!user) {
+      ctx.response.status = 401;
+      ctx.response.body = { error: "Unauthorized" };
+      return;
+    }
+    
+    if (!roles.includes(user.role)) {
+      ctx.response.status = 403;
+      ctx.response.body = { error: "Insufficient permissions" };
+      return;
+    }
+    
+    await next();
+  };
+}
+
+// Get current user from context
+export function getCurrentUser(ctx: Context): JWTPayload {
+  return ctx.state.user as JWTPayload;
+}

backend-deno/middleware/security.ts

@@ -0,0 +1,152 @@
+import { Context, Next } from "@oak/oak";
+import { config } from "../config/env.ts";
+
+// Rate limiting store (in-memory, use Redis in production)
+const rateLimitStore = new Map<string, { count: number; resetTime: number }>();
+
+// Rate limiting middleware
+export async function rateLimit(ctx: Context, next: Next): Promise<void> {
+  const ip = ctx.request.ip || "unknown";
+  const now = Date.now();
+  const windowMs = config.RATE_LIMIT_WINDOW_MS;
+  const maxRequests = config.RATE_LIMIT_MAX_REQUESTS;
+  
+  const record = rateLimitStore.get(ip);
+  
+  if (!record || now > record.resetTime) {
+    rateLimitStore.set(ip, { count: 1, resetTime: now + windowMs });
+  } else {
+    record.count++;
+    
+    if (record.count > maxRequests) {
+      ctx.response.status = 429;
+      ctx.response.body = { 
+        error: "Too many requests",
+        retryAfter: Math.ceil((record.resetTime - now) / 1000)
+      };
+      return;
+    }
+  }
+  
+  await next();
+}
+
+// Security headers middleware
+export async function securityHeaders(ctx: Context, next: Next): Promise<void> {
+  await next();
+  
+  // Prevent clickjacking
+  ctx.response.headers.set("X-Frame-Options", "DENY");
+  
+  // Prevent MIME type sniffing
+  ctx.response.headers.set("X-Content-Type-Options", "nosniff");
+  
+  // XSS protection
+  ctx.response.headers.set("X-XSS-Protection", "1; mode=block");
+  
+  // Referrer policy
+  ctx.response.headers.set("Referrer-Policy", "strict-origin-when-cross-origin");
+  
+  // Content Security Policy
+  ctx.response.headers.set(
+    "Content-Security-Policy",
+    "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline';"
+  );
+  
+  // Strict Transport Security (only in production with HTTPS)
+  if (config.isProduction()) {
+    ctx.response.headers.set(
+      "Strict-Transport-Security",
+      "max-age=31536000; includeSubDomains"
+    );
+  }
+}
+
+// CORS middleware
+export async function cors(ctx: Context, next: Next): Promise<void> {
+  const origin = ctx.request.headers.get("Origin");
+  const allowedOrigins = config.CORS_ORIGIN.split(",").map(o => o.trim());
+  
+  // Check if origin is allowed
+  if (origin && (allowedOrigins.includes(origin) || allowedOrigins.includes("*"))) {
+    ctx.response.headers.set("Access-Control-Allow-Origin", origin);
+  } else if (config.isDevelopment()) {
+    // Allow all origins in development
+    ctx.response.headers.set("Access-Control-Allow-Origin", origin || "*");
+  }
+  
+  ctx.response.headers.set("Access-Control-Allow-Methods", "GET, POST, PUT, DELETE, OPTIONS");
+  ctx.response.headers.set("Access-Control-Allow-Headers", "Content-Type, Authorization");
+  ctx.response.headers.set("Access-Control-Allow-Credentials", "true");
+  ctx.response.headers.set("Access-Control-Max-Age", "86400");
+  
+  // Handle preflight requests
+  if (ctx.request.method === "OPTIONS") {
+    ctx.response.status = 204;
+    return;
+  }
+  
+  await next();
+}
+
+// Request logging middleware
+export async function requestLogger(ctx: Context, next: Next): Promise<void> {
+  const start = Date.now();
+  const { method, url } = ctx.request;
+  
+  await next();
+  
+  const ms = Date.now() - start;
+  const status = ctx.response.status;
+  
+  // Color code based on status
+  let statusColor = "\x1b[32m"; // Green for 2xx
+  if (status >= 400 && status < 500) statusColor = "\x1b[33m"; // Yellow for 4xx
+  if (status >= 500) statusColor = "\x1b[31m"; // Red for 5xx
+  
+  console.log(
+    `${new Date().toISOString()} - ${method} ${url.pathname} ${statusColor}${status}\x1b[0m ${ms}ms`
+  );
+}
+
+// Input sanitization helper
+export function sanitizeInput(input: string): string {
+  return input
+    .replace(/[<>]/g, "") // Remove angle brackets
+    .replace(/javascript:/gi, "") // Remove javascript: protocol
+    .replace(/on\w+=/gi, "") // Remove event handlers
+    .trim();
+}
+
+// Validate email format
+export function isValidEmail(email: string): boolean {
+  const emailRegex = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;
+  return emailRegex.test(email);
+}
+
+// Validate password strength
+export function isStrongPassword(password: string): { valid: boolean; message?: string } {
+  if (password.length < 8) {
+    return { valid: false, message: "Password must be at least 8 characters long" };
+  }
+  if (!/[A-Z]/.test(password)) {
+    return { valid: false, message: "Password must contain at least one uppercase letter" };
+  }
+  if (!/[a-z]/.test(password)) {
+    return { valid: false, message: "Password must contain at least one lowercase letter" };
+  }
+  if (!/[0-9]/.test(password)) {
+    return { valid: false, message: "Password must contain at least one number" };
+  }
+  return { valid: true };
+}
+
+// Clean up old rate limit entries periodically
+setInterval(() => {
+  const now = Date.now();
+  for (const [ip, record] of rateLimitStore.entries()) {
+    if (now > record.resetTime) {
+      rateLimitStore.delete(ip);
+    }
+  }
+}, 60000); // Clean up every minute